Massachusetts CORI* Reform

CORI reform began in 2010, most notably with “ban-the-box” requirements. Additional reform is scheduled to become effective 5/4/12. CORI officials have provided preliminary guidance in the form of proposed regulations, but this guidance is subject to change as comments are being accepted through 4/15/12.

Please keep in mind that changes may occur which will impact information presented here. We will continue to post updates as more information becomes available.

Current State
Criminal record checks in Massachusetts may currently be conducted through CORI, in addition to county and federal district** level searches. Some employers, such as schools and healthcare providers, are statutorily required to conduct CORI checks and have full access to CORI data. All other employers have access to a subset of data known as “Publicly Accessible CORI.” (Because of CORI statutory fees and extended turnaround time, unless statutorily required, most employers have opted for county criminal checks.)

Proposed State – Effective May 4, 2012
Under the proposed regulations, three CORI access levels will exist – Required Access for employers with a statutory requirement, Standard Access for employers and landlords and Open Access for the general public. Employers will have numerous new requirements for Standard Access to CORI records. These requirements fall into the following categories:

Standard CORI Access and Processing Requirements for Employers

  • Register and annually renew an iCORI account (CRAs are also required to register and annually renew)
  • Maintain a CORI policy if five or more CORI checks are conducted per year (Model CORI Policy provided by the State)
  • Obtain and retain for one year an acknowledgment and consent form, signed by the applicant and employer (the State has not provided a required or sample form as of this writing)
  • Verify the individual’s identity on the acknowledgment and consent form by reviewing government-issued identification
  • If applicable, authorize the CRA to request CORI data on the employer’s behalf and provide the CRA with required compliance attestations
  • If adverse action is considered based on CORI data, the employer must:
    • Comply with applicable federal and state laws and regulations
    • Notify the individual in person, by telephone, fax, or electronic or hard copy correspondence of the potential adverse employment action
    • Provide a copy of the individual’s CORI record to the individual
    • Provide a copy of the employer’s CORI policy (if applicable)
    • Identify the CORI information that is the basis for potential adverse action
    • Provide the individual with the opportunity to dispute the accuracy of the information
    • Provide the individual with instructions on how to correct inaccurate CORI data
    • Document all steps taken to comply with these requirements
  • Maintain a secondary dissemination log for a period of one (1) year following dissemination of an individual’s CORI, which includes:
    • Individual’s name
    • Individual’s date of birth
    • Dissemination date
    • Name of person to whom the information was disseminated
    • Purpose of dissemination
CORI Data Storage, Retention, and Destruction
  • Whether paper or electronic, CORI data may not be retained for more than seven (7) years from the last date of employment (contingent worker, volunteer service, etc.) or the date of the final decision not to employ an individual
  • Hard copy data must be stored in a “separate locked and secure location”
  • Electronic data must be “password protected and encrypted” and not stored in public cloud
  • Hard copies must be destroyed by shredding or similarly secure method
  • Electronic data must be deleted from hard drives and backup systems
  • Electronic data must be permanently deleted before reusing or disposing of computers, hard drives, or media
Other Notes
  • If employment decisions are made within ninety days of receipt of CORI, some legal protections are provided for the employer. First, “failure-to-hire” lawsuits may not be brought against the employer if the CORI data as provided by DCJIS incorrect. Secondly, negligent hiring claims may not be brought against an employer who relied solely on CORI information (without performing additional criminal history checks).
  • Any employer who knowingly violates CORI reform provisions is subject to sanctions up to $50,000 per violation. Human resource professionals and other individuals who knowingly violate the provisions are subject to sanctions up to $5,000 per violation.
  • Individuals are entitled to a copy of the dissemination log held by the state which identifies anyone who has requested the individual’s CORI.
NOTE: It is not clear from the preliminary guidance whether these requirements will apply only to those employers obtaining CORI information or whether some requirements (such as the policy requirement) will also apply to employers obtaining criminal record information from other sources, such as county courts.

More details to come as information is forthcoming from Massachusetts.

* CORI refers to “Criminal Offender Record Information” held in the official criminal record repository in Massachusetts.
** Federal courts hold information based on violation of federal law. This information is not in county or CORI records.